US12443723B2ActiveUtilityA1

Collaborative software application static vulnerability detection

41
Assignee: SAP SEPriority: May 22, 2023Filed: May 22, 2023Granted: Oct 14, 2025
Est. expiryMay 22, 2043(~16.9 yrs left)· nominal 20-yr term from priority
G06F 21/54G06F 2221/033G06F 21/577
41
PatentIndex Score
0
Cited by
3
References
20
Claims

Abstract

Techniques for collaborative detection of software application static vulnerabilities are disclosed. Print statements are injected into the source code for a software application for each of its inputs and outputs. Vulnerability findings are obtained from two or more static analysis tools run against the modified source code. A determination is made that a first static analysis tool reports that tainted data can flow from an input of a function to a return value of the function and it is determined that the second static analysis tool reports that tainted data can flow into the input of the function and that tainted data cannot flow to the return value based on the vulnerability findings. The injection-modified source code is modified to include an assignment of the input to the output to obtain stitch-modified source code. Then vulnerability findings are obtained for the stitch-modified source code and they include new findings.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer system, comprising:
 one or more processors; 
 one or more machine-readable medium coupled to the one or more processors and storing computer program code comprising sets instructions executable by the one or more processors to: 
 obtain source code for a software application, the source code including a plurality of functions having one or more inputs and one or more outputs; 
 inject print statements into the source code for each of the one or more inputs and the one or more outputs to obtain injection-modified source code; 
 obtain two or more sets of first vulnerability findings from two or more respective static analysis tools run against the injection-modified source code, the static analysis tools including a first static analysis tool and a second static analysis tool; 
 determine that the first static analysis tool reports that tainted data can flow from an input of a function to a return value of the function based on a first set of the first vulnerability findings from the first static analysis tool; 
 determine that the second static analysis tool reports that tainted data can flow into the input of the function and that tainted data cannot flow to the return value based on a second set of the first vulnerability findings from the second static analysis tool; 
 modify the injection-modified source code to include an assignment of the input to the output to obtain stitch-modified source code; and 
 obtain two or more sets of second vulnerability findings from the two or more respective static analysis tools run against the stitch-modified source code, the two or more sets of second vulnerability findings including new vulnerability findings not in the two or more sets of first vulnerability findings. 
 
     
     
       2. The computer system of  claim 1 , wherein the computer program code further comprises sets of instructions executable by the one or more processors to:
 obtain two or more sets of original vulnerability findings from the two or more respective static analysis tools run against the source code prior to modification; and 
 compare the two or more sets of second vulnerability findings to the two or more sets of original vulnerability findings to identify a set of new findings. 
 
     
     
       3. The computer system of  claim 1 , wherein the assignment of the input to the output is conditional on a random value generator. 
     
     
       4. The computer system of  claim 1 , wherein the assignment of the input to the output is positioned in the injection-modified source code after the function. 
     
     
       5. The computer system of  claim 1 , wherein the computer program code further comprises sets of instructions executable by the one or more processors to:
 remove corresponding print statements when modifying the injection-modified source code to include an assignment of the input to the output. 
 
     
     
       6. The computer system of  claim 1 , wherein the computer program code further comprises sets of instructions executable by the one or more processors to:
 remove print statements correspond to an output when all print statements for corresponding inputs are removed. 
 
     
     
       7. The computer system of  claim 1 , wherein the source code is in a PHP Hypertext Preprocessor language and the print statements are echo operations. 
     
     
       8. A non-transitory computer-readable medium storing computer program code comprising sets of instructions to:
 obtain source code for a software application, the source code including a plurality of functions having one or more inputs and one or more outputs; 
 inject print statements into the source code for each of the one or more inputs and the one or more outputs to obtain injection-modified source code; 
 obtain two or more sets of first vulnerability findings from two or more respective static analysis tools run against the injection-modified source code, the static analysis tools including a first static analysis tool and a second static analysis tool; 
 determine that the first static analysis tool reports that tainted data can flow from an input of a function to a return value of the function based on a first set of the first vulnerability findings from the first static analysis tool; 
 determine that the second static analysis tool reports that tainted data can flow into the input of the function and that tainted data cannot flow to the return value based on a second set of the first vulnerability findings from the second static analysis tool; 
 modify the injection-modified source code to include an assignment of the input to the output to obtain stitch-modified source code; and 
 obtain two or more sets of second vulnerability findings from the two or more respective static analysis tools run against the stitch-modified source code, the two or more sets of second vulnerability findings including new vulnerability findings not in the two or more sets of first vulnerability findings. 
 
     
     
       9. The non-transitory computer-readable medium of  claim 8 , wherein the computer program code further comprises sets of instructions to:
 obtain two or more sets of original vulnerability findings from the two or more respective static analysis tools run against the source code prior to modification; and 
 compare the two or more sets of second vulnerability findings to the two or more sets of original vulnerability findings to identify a set of new findings. 
 
     
     
       10. The non-transitory computer-readable medium of  claim 8 , wherein the assignment of the input to the output is conditional on a random value generator. 
     
     
       11. The non-transitory computer-readable medium of  claim 8 , wherein the assignment of the input to the output is positioned in the injection-modified source code after the function. 
     
     
       12. The non-transitory computer-readable medium of  claim 8 , wherein the computer program code further comprises sets of instructions to:
 remove corresponding print statements when modifying the injection-modified source code to include an assignment of the input to the output. 
 
     
     
       13. The non-transitory computer-readable medium of  claim 8 , wherein the computer program code further comprises sets of instructions to:
 remove print statements correspond to an output when all print statements for corresponding inputs are removed. 
 
     
     
       14. The non-transitory computer-readable medium of  claim 8 , wherein the source code is in a PHP Hypertext Preprocessor language and the print statements are echo operations. 
     
     
       15. A computer-implemented method, comprising:
 obtaining source code for a software application, the source code including a plurality of functions having one or more inputs and one or more outputs; 
 injecting print statements into the source code for each of the one or more inputs and the one or more outputs to obtain injection-modified source code; 
 obtaining two or more sets of first vulnerability findings from two or more respective static analysis tools run against the injection-modified source code, the static analysis tools including a first static analysis tool and a second static analysis tool; 
 determining that the first static analysis tool reports that tainted data can flow from an input of a function to a return value of the function based on a first set of the first vulnerability findings from the first static analysis tool; 
 determining that the second static analysis tool reports that tainted data can flow into the input of the function and that tainted data cannot flow to the return value based on a second set of the first vulnerability findings from the second static analysis tool; 
 modifying the injection-modified source code to include an assignment of the input to the output to obtain stitch-modified source code; and 
 obtaining two or more sets of second vulnerability findings from the two or more respective static analysis tools run against the stitch-modified source code, the two or more sets of second vulnerability findings including new vulnerability findings not in the two or more sets of first vulnerability findings. 
 
     
     
       16. The computer-implemented method of  claim 15 , further comprising:
 obtaining two or more sets of original vulnerability findings from the two or more respective static analysis tools run against the source code prior to modification; and 
 comparing the two or more sets of second vulnerability findings to the two or more sets of original vulnerability findings to identify a set of new findings. 
 
     
     
       17. The computer-implemented method of  claim 15 , wherein the assignment of the input to the output is conditional on a random value generator. 
     
     
       18. The computer-implemented method of  claim 15 , wherein the assignment of the input to the output is positioned in the injection-modified source code after the function. 
     
     
       19. The computer-implemented method of  claim 15 , further comprising:
 removing corresponding print statements when modifying the injection-modified source code to include an assignment of the input to the output. 
 
     
     
       20. The computer-implemented method of  claim 15 , further comprising:
 removing print statements correspond to an output when all print statements for corresponding inputs are removed.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.